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1. With regard to the language, this report is based on: 

the international application in the language in which it was filed. 

□ a translation of the international application into English , which is the language of a translation furnished for the 
purposes of: 

□ international search (under Rules 12.3 and 23 1(b)) 

□ publication of the international application (under Rule 12 4(a)) 
international preliminary examination (under Rules 55.2(a) and/or 55.3(a)) 

2. With regard to the elements of the international application, this report is based on (replacement sheets which have been furnished 
Znn^ZTmwn™ reSP ° nSe 10 an ° n ^ ^'^ 14 ^ referredl ° * "" S ^ " S "ortSinally filed" and are no, 

the international application as originally filed/furnished 
1^) the description: 

Pages JLi41__^_ as originally filed/furnished 

pages* NONE received by this Authority on 

Pages* NONE received by this Authority on ' 

1^1 the claims: 

pages NQNE____ as originally filed/furnished 

pages* NONE as amended (together with 1 any statement) under Article 19 

P a e es * 42-47, 47/1 and 48 received by this Authority on 09 August 2005 f 08.08.2005) 

Pages* NONE received by this Authority on ~~ 

CXl the drawings: 

pages 1/14 - 12/14 as originally fjUA/<\* m ^rt 

pages* 13/14 and 14/14 _ received by this Authority on 09 August 2005 f09.O8.2QO5> 

Pages* NONE received by this Authority on : 



□ a sequence listing and/or any related table(s) - see Supplemental Box Relating to Sequence Listing. 

□ The amendments have resulted in the cancellation of: 

the description, pages 

□ the claims, Nos.. 



□ the drawings, sheets/figs 

□ 

the sequence listing {specify): 

O any table(s) related to the sequence listing {specify): . 



4. □ This report has been established as if (some of) the amendments annexed to this report and listed below had not been made, 
since they have been considered to go beyond the disclosure as filed, as indicated in the Supplemental Box (Rule 70.2(c)). 



□ the description, pages 
the claims, Nos.„ 



□ 

the drawings, sheets/figs 

□ 

the sequence listing {specify): 

C] any table(s) related to the sequence listing {specify): 



If item 4 applies, some or all of those sheets maybe marked "superseded. 1 
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Box No. V Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial 
applicability; citations and explanations supporting such statement 


1. Statement 








. Novelty (N) 


Claims 1-29 




YES 




Claims none 




NO 


Inventive Step (IS) 


Claims NONE 




YES 




Claims 1-29 




NO 


Industrial Applicability QA) 


Claims 1-29 




YES 




Claims NONE 




NO 



2. Citations and Explanations (Rule 70.7) 
Please See Continuation Sheet 
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In case the space in any of the preceding boxes is not sufficient, 
Continuation of: 



V. Z Citations and Explanations: 

Claim 1 lacks novelty under PCT Article 33(2) as being anticipated by Dick (US Patent Publication 2003/02 17290 Al). 

Regarding claim 1, Dick teaches a request-response based transactional auditing method for providing a centralized transactional real- 
time adaptive identity-driven audit trail over a processing device or sequence of processing devices connected by wired or wireless 
networks, said method comprising the steps of: 

selecting a communication protocol for transmitting a message from a first processing device to a second processing device in a 
transaction beginning with an incoming request and ending with an outgoing response to the incoming request (paragraph 0048); 

creating at least one audit-request object having audit data (paragraph 0042); 

embedding the audit-request object into the incoming request when the incoming request is in compliance with the 
communication protocol used downstream during a request process (paragraph 0042); 

creating at least one audit-response object at the start of a response process, said audit-response object having audit data 
(paragraph 0062); 

embedding an audit-response object in an outgoing response, said outgoing response being in compliance with the 
communication protocol upstream during the response process (paragraph 0062); 

moving the request and the response through a transaction (paragraph 0043). 

Claims 2-4 lack an inventive step under PCT Article 33(3) as being obvious over Dick (US Patent Publication 2003/02 1 7290 A 1 ) in 
view of Schaefer et al. (US Patent Publication 2002/0010867 Al). 

Regarding claim 2, Dick teaches further comprising the steps of: 

adding the Transaction ID to the audit-request object (paragraph 0062); 
verifying the audit-response object contains the Transaction ID (paragraph 0062); 

altering at least part of the audit data carried in the audit-request object or audit-response object at desired points during the 
transaction (figure 5, reference number 168); 

saving at least part of the audit data which contains at least the transaction id in the audit-request object and the audit-response 
object in persistence storage at desired points of the transaction (figure 5, reference number 1 70), and 

removing the audit-response object from the outgoing response object before the outgoing response object leaves the transaction 
entry point (paragraph 0047). 
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whereby the Transaction ID, audit-request object and audit-response object may be used to identify the transaction and log the 
events during the transaction at any point in order to provide a centralized transactional real-time adaptive identity-driven audit trail that 
enables the collection and removal of the event trail log for the transaction, and allowing persistence of the audit data of the audit-request 
object and audit-response object at the centralized user trail repository (paragraph 0046 and 0060, figure 3, reference number 100). 

Dick does not teach creating a unique Transaction ID for said transaction. Schaefer et al. teaches creating a unique Transaction ID for 
said transaction (paragraph 0077). 

Regarding claim 3, Dick as modified by Schaefer et al. teaches further comprising the step of representing the audit-request object and 
the audit-response object by XML (see paragraph 0028 of Schaefer et al.). 

Regarding claim 4, Dick as modified by Schaefer et al. teaches further comprising the step of keeping the audit data of the audit-request 
object and the audit-response object in an encrypted form during the transaction so that the audit data can be securely transmitted when 
desired (see figure 6, reference number 196 of Dick). 

Claims 5-29 lack an inventive step under PCT Article 33(3) as being obvious over Dick (US Patent Publication 2003/02 1 7290 Ai) in 
view of Schaefer et al. (US Patent Publication 2002/0010867 Al), and further in view of Eibach et al. (US Patent Publication 
2003/0084350 A. 1), 

Regarding claim 5, Dick as modified by Schaefer et al. teaches all the limitations of claims 1-3. above. However, Dick as modified by 
f^t £ f r 6t al d ° eS n0t teach fUrthcr comprising the steps of: passing downstream said audit-request object by means of at least one 
HTTP header; and passing upstream said audit-response object by means of at least one HTTP header. 

Eibach et al. teaches further comprising the steps of: passing downstream said audit-request object by means of at least one HTTP header 
(paragraph 0018); and passing upstream said audit-response object by means of at least one HTTP header (paragraph 0018). 

Regarding claim 6, Dick as modified by Schaefer et al/Eibach et al. teaches said audit-data contains user Id (see paragraph 0055 of 

Regarding claim 7, Dick as modified by Schaefer et alTEibach et al teaches said audit-data contains session Id (see paragraph 0025 of 
Eibach et al.). r & r 

Regarding claim 8, Dick as modified by Schaefer et alTEibach et al teaches said audit-data contains one or.more fields selected from the 
group consisting of user registry domain, remote connection host, remote connection ip address, roles assigned to the user, any other user 
related information like user account number (see paragraph 0023 of Eibach et al.). 

Regarding claim 9, Dick as modified by Schaefer et alTEibach et al teaches the audit-data contains TGT which contains transaction id, 
user id, token expiration time, and authorized roles for the user (see paragraph 0077 of Schaefer et al. and paragraphs 0055 & 0060 of ' 
Dick). 

Regarding claim 10, Dick as modified by Schaefer et alTEibach et al. teaches the audit-data contains one or more fields selected from the 
group consisting of policy fields: resource that needs to be protected, roles that specify if the user is allowed or denied for access this 
resource, rules that associate the user with the resource and the roles to decide who can access the said resource (see paragraph 0013 of 
Schaefer et al.). 

Regarding claim 11, Dick as modified by Schaefer et al./Eibach et al. teaches audit-data contains one or more fields selected from the 
group consisting of audit trail fields: service id, authorization status, failed reason, accessing role, service accessing time, loe-info (see 
paragraph 0056 of Schaefer etal.). 

Regarding claim 12, Dick as modified by Schaefer et al./Eibach et al. teaches said audit-data contains one or more fields selected from 
the group consisting of lifespan fields: Transaction Creation Time, Transaction expiration-time, Transaction time out (see paragraph 
0060 of Dick). 6 v 

Regarding claim 13, Dick as modified by Schaefer et alTEibach et ai. teaches further comprising the steps of loading security policies 
into memory in cached form (see paragraph 0023 of Eibach et al.). 

Regarding claim 14, Dick as modified by Schaefer et alTEibach et al teaches further comprising the steps of adding the policies 
associated with the resources requested for access to audit-data (see paragraph 0062 of Dick). 

Regarding claim 15, Dick as modified by Schaefer et al./Eibach et al. teaches further comprising the steps of: 
authenticating a user (see paragraph 0061 of Dick), and 
authorizing a user for a given resource (see paragraph 0061 of Dick). - 
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Regarding claim 16, Dick as modified by Schaefer et al./Eibach et al. teaches further comprising the steps of: 
authenticating a user in said first device against user registry (see paragraph 0061 of Dick); 
adding authentication event log data into audit-data (see paragraph 0023 of Eibach et al.); ' 
creating a encrypted TGT token of said user (see paragraph 0055 & 0063 of Dick); 
adding TGT token into audit-data (see paragraph 0063 of Dick); 

forwarding the audit-data containing TGT token to the said first processing device and then said second processing device 
0063 on^k)° riZat1011 Pr0 ° eSS ' Said audit * data ^toining said TGT token facilitating processing of subsequent requests (see paragraph 

returning TGT token to the requesting-client as a ticket for the next time access with the associated session id (see Darasraph 
0063 of Dick). K ytu^iu^u 

Regarding claim 17, Dick as modified by Schaefer et alTEibach et al. teaches further comprising the steps of: 
obtaining TGT token from audit-data (see figure 5, reference number 1 72 of Dick), 

decrypting TGT token to verify the user and retrieve the following (see paragraph 0055 of Dick): user id, token expiration 

time, roles assigned to said user, other relevant information stored within TGT token (see paragraph 0077 of Schaefer et al and 

paragraphs 0055 & 0060 of Dick), 

retrieving the policies associated with the resources for access from either policy store, in memory cache or audit-data (see 

figure 6A, step number 4 of Eibach et al.); 

authorizing said user based on said TGT token and said policies retrieved (see paragraph 0076 of Schaefer et al.), 

adding the authorization event log into said audit data (see paragraph 0023 of Eibach et al.), 

granting or denying resources access based on authorization status (see paragraph 0076 of Schaefer et al.), 

forwarding the audit-data containing TGT token said second processing device handling authorization process, said audit-data 

containing said TGT token facilitating processing of subsequent requests (see paragraph 0063 of Dick). 

Regarding claim 1 8, Dick as modified by Schaefer et al./Eibach et al. teaches wherein said first processing device is a proxy server and 
wherein said method further comprises the step of adding a module to said proxy server, the module adapted to allow dynamic loading of 
an m-bound filter and an out-bound filter that enable the proxy server to process a HTTP request before sending the request to a resource 
and to process a response before returning the response (see paragraph 003 1 of Eibach et a!.). 

Regarding claim 19, Dick as modified by Schaefer et al./Eibach et al. teaches further comprising the steps of obtaining user profile for a 
user (see paragraph 0045 of Eibach et al.).. 

Regarding claim 20, Dick as modified by Schaefer et alVEibach et al. teaches further comprising the steps of: 
^ authenticating said user based on authentication and authorization API by a API vendor (see paragraph 0022 of Eibach et al.), 

authorizing said user for a given resource based on said API (see paragraph 00 13 of Schaefer et al.). 

Regarding claim 21, Dick as modified by Schaefer et alTEibach et al. teaches further comprising the steps of: 
validating data in the request (see paragraph 0044 of Eibach et al.); 
checking data integrity (see paragraph 0044 of Eibach et al.). 

Regarding claim 22, Dick as modified by Schaefer et al./Eibach et al. teaches further comprising the steps of performing XML 
transformation (see paragraph 0047 of Eibach et al.). 

Regarding claim 23, Dick as modified by Schaefer et al./Eibach et al. teaches wherein said first processing device and said second 
processing device are connected via the internet so that web services are transfer requests and responses between said first processing 
device and said second processing device (see figure 2 of Eibach et al.), and wherein the audit data is added to the audit-request object 
and the audit-response object regarding activities of web services by the identify of the user and not by the identity of the web services 
(see paragraph 0055 of Dick). 

Regarding claim 24, Dick as modified by Schaefer et al./Eibach et al, teaches further comprising the steps of: 

inserting said audit-data via SOAP message (see abstract of Eibach et al. paragraph 0035 of Schaefer et al.), « 
convert SOAP message form of audit-data from response to other forms and moving upstream (see paragraph 0035 of Schaefer et al.). 

Regarding claim 25, Dick as modified by Schaefer et al./Eibach et al. teaches further comprising the steps of: 

perform data-binding to transfer business data into audit trail based on the security rules specified in XSL (see paragraph 0023of 
Eibach et al.). 

Regarding claim 26, Dick as modified by Schaefer et al./Eibach et al. teaches further comprising the steps of: 

passing downstream said audit-request object by means of at least one JMS header (see paragraph 0018 of Eibach et al.); and 
passing upstream said audit-response object by means of at least one JMS header (sec paragraph 0018 of Eibach et al.). 
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Regarding claim 27, Dick as modified by Schaefer et al./Eibach et al. teaches further comprising the steps of: " 

0042 of Dick) PCrSISted ° Udit data t0 ° reatc entcr P rise <* ata rep"™ for system fail over to provide business continuity (see paragraph 

Regarding claim 28, Dick as modified by Schaefer et alTEibach et al. teaches further comprising the steps of: 
retrieving security policy from audit data (see paragraph 0077 of Schaefer et al.); and 

authorizing user resource access based on the security policy for authorization points located at desired location to provide multi- 
tiered authorization (see paragraph 006 1 of Dick). piuviu^ mum 

Regarding claim 29, Dick as modified by Schaefer et al./Eibach et al. teaches further comprising the steps of: 
retrieving security policy from audit data (see paragraph 0077 of Schaefer et al.); and 

authorizing user resource access based on the security policy for authorization points located at desired location to provide multi- 
tiered authorization (see paragraph 006 1 of Dick). pro viae mum 
NEW CITATIONS — 
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